This release, ART v1.3.0, extends ART into a library for machine learning security covering Evasion, Poisoning, Extraction, and Inference. The Inference module is a new addition and includes implementations of attribute inference and model inversion attacks. A new Estimator API has been implemented, extending ART 1.3.0 from a library for classification tasks towards a library supporting all machine learning tasks, including object detection. Multiple state-of-the-art attacks and defenses have been implemented. The READMEs have been redesigned and new Wiki pages have been created.
Added
- Added a new Estimator API `art.estimators` to abstract machine learning models in ART, replacing the previous Classifier API `art.classifiers`. The new Estimator API is flexible and extensible to support all possible machine learning tasks and currently contains implementations for classification, object detection, certification, encoding, and generation models (see the usage sketch after this list). (350)
- Added a framework- and model-specific estimator implementation for PyTorch FasterRCNN (`torchvision.models.detection.fasterrcnn_resnet50_fpn`) as the first object detector estimator. All object detector estimators currently support the DPatch, ProjectedGradientDescent, BasicIterativeMethod, and FastGradientMethod evasion attacks (see the sketch after this list). (350)
- Added a new type of attack, Inference, in `art.attacks.inference` with first implementations of Attribute Inference and Model Inversion attacks. (439, 428)
- Added progress bars using `tqdm` to all attacks and defenses to provide information about progress to the user. (447)
- Added install options to `setup.py` for frameworks and complete installs. Previously, ART only installed general, non-framework dependencies. This update provides the install options `all`, `tensorflow`, `pytorch`, `keras`, `mxnet`, `xgboost`, `lightgbm`, `catboost`, `gpy`, and `docs`. (446)
- Added dependabot.yml to use GitHub’s Dependabot to propose updates to ART’s dependencies. (449)
- Added AutoAttack as a new evasion attack. AutoAttack applies a group of white- and black-box attacks (default: AutoPGD with cross-entropy and with difference-logits-ratio loss, SquareAttack, DeepFool) and is an attack approach that achieves state-of-the-art performance in defense evaluations (see the sketch after this list). (400)
- Added Auto Projected Gradient Descent (AutoPGD) as a new evasion attack. AutoPGD adapts its step size to guarantee increasing loss in each step. (400)
- Added SquareAttack as a new evasion attack. SquareAttack is a black-box attack based on random search that achieves performance competitive with white-box attacks. (400)
- Added ShadowAttack as a new evasion attack. ShadowAttack creates large but natural-looking perturbations that can spoof the certificates of classifiers certified, for example, by Randomised Smoothing. (409)
- Added Wasserstein Attack as a new evasion attack. Wasserstein Attack generates adversarial examples with minimized Wasserstein distance, which allows large Lp perturbations while keeping the examples natural-looking. (422)
- Added DefenceGAN and InverseGAN as new preprocessor defenses. These defenses use Generative Adversarial Networks to remove adversarial perturbations. (411)
- Added the adversarial training protocol Fast Is Better Than Free as a trainer defense for PyTorch models. The Fast Is Better Than Free protocol allows very fast training of adversarially robust models. (435)
- Added H.264/MPEG-4 AVC video compression as a preprocessor defense. This defense attempts to remove adversarial perturbations by compressing video data. (438)
- Added Feature Collision Clean Label attack as a new poisoning attack for `KerasClassifier`. This attack allows poisoning a model's training without modifying the training labels, simply by adding a modified training example. (389)
- Added support for custom loss gradients at any layer of a neural network in `KerasClassifier`. This method allows very sophisticated loss functions to create adversarial examples that imitate the feature representation of benign samples at any layer of the neural network. Support for this method will be extended to other frameworks in future releases. (389)
- Added framework-specific implementations of the ProjectedGradientDescent (PGD) evasion attack for TensorFlow v2 and PyTorch. This follows a new concept in ART: an attack implementation based on Numpy, if available, is compatible with all frameworks, while framework-specific implementations can be added that take full advantage of a particular framework and only need to support ART estimators for that framework. This enables ART to provide attack implementations that run as fast and as accurately as possible, and it will facilitate integrating original implementations by the attacks’ creators without translating them into Numpy (see the sketch after this list). (390)
- Added utilities for deprecation of methods and arguments. (421)
- Added a new metric for Wasserstein distance. (410)
- Added the Spectral Signature Defense as a new detector defense against poisoning. This defense uses spectral signatures to detect and defeat backdoor attacks. (398)
- Added MP3 compression as a new preprocessor defense. This defense attempts to remove adversarial perturbations in audio data using MP3 compression. (391)
- Added resampling as a new preprocessor defense. This defense attempts to remove adversarial perturbations in audio data by resampling the data. (397)
- Added Feature Adversaries attack as a new evasion attack. This attack generates adversarial examples that minimize the difference in feature representation to a benign sample at a certain layer of a neural network. (364)
- Added DPatch as a new evasion attack against object detectors. This attack creates digital patches that draw the attention of object detectors to the patch area to prevent the detection of objects outside of the patched area. (362)
- Added a new Docker image providing installations of all machine learning frameworks supported by ART and the dependencies of ART. (386)
- Added a new method to check a model for obfuscated/vanishing/masked gradients. (376)
- Added a framework-specific implementation of the AdversarialPatch physical evasion attack for TensorFlow v2. This implementation provides more accurate loss gradients than the Numpy implementation. (357)
- Added Frame Saliency Attack as a new evasion attack. This attack creates adversarial examples with sparse and imperceptible perturbations, primarily intended for video data. (358)
- Added Python typing to all source files of ART and a mypy check to all Travis CI runs. (425)
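The following is a minimal usage sketch of the new Estimator API together with the ProjectedGradientDescent attack described above. It assumes a compiled Keras model `model` and test data `x_test` already exist, and exact constructor defaults may differ between releases:

```python
import numpy as np

from art.estimators.classification import KerasClassifier
from art.attacks.evasion import ProjectedGradientDescent

# Wrap an existing, compiled Keras model (assumed to be defined as `model`) in the
# new Estimator API; clip_values describes the valid range of the input features.
classifier = KerasClassifier(model=model, clip_values=(0.0, 1.0), use_logits=False)

# The attack accepts any ART estimator; for TensorFlow v2 and PyTorch estimators,
# ART can use the new framework-specific PGD implementations under the hood.
attack = ProjectedGradientDescent(estimator=classifier, norm=np.inf, eps=0.1, eps_step=0.01, max_iter=40)

# x_test is assumed to be a NumPy array scaled to [0, 1].
x_test_adv = attack.generate(x=x_test)
```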
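A similarly hedged sketch of the new AutoAttack evasion attack, reusing the `classifier` and test data from the Estimator API sketch; when no attack list is passed, the default group of attacks described above is assumed to be used:

```python
import numpy as np

from art.attacks.evasion import AutoAttack

# AutoAttack runs a group of white- and black-box attacks against the classifier.
attack = AutoAttack(estimator=classifier, norm=np.inf, eps=0.3, eps_step=0.1)

# Providing the true labels y_test lets the attack evaluate untargeted success.
x_test_adv = attack.generate(x=x_test, y=y_test)
```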
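The object detection estimator and the DPatch attack can be combined roughly as follows. This is a sketch only: the constructor arguments shown (for example `clip_values` and `patch_shape`) are assumptions and the released signatures may differ:

```python
import numpy as np

from art.estimators.object_detection import PyTorchFasterRCNN
from art.attacks.evasion import DPatch

# Wrap torchvision's Faster R-CNN; omitting the model argument is assumed to load
# torchvision.models.detection.fasterrcnn_resnet50_fpn with pretrained weights.
detector = PyTorchFasterRCNN(clip_values=(0, 255))

# A small batch of images as a NumPy array of shape (N, H, W, 3) in [0, 255].
x = np.random.randint(0, 255, size=(2, 416, 416, 3)).astype(np.float32)

# DPatch optimizes a digital patch that draws the detector's attention to the patch area.
attack = DPatch(detector, patch_shape=(40, 40, 3), max_iter=100)
patch = attack.generate(x=x)

# Predictions are returned per image as dictionaries with boxes, labels, and scores.
predictions = detector.predict(x)
```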
Changed
- Extended notebooks demonstrating attacks and defenses with audio and video data. (463)
- Changed `KerasClassifier` to accept wildcards in the model's input shape. (458)
- Deactivated gradient computation during model evaluation in `PyTorchClassifier.predict`, which accelerates prediction by a factor of ~2 or more. (452)
- Changed `art.defences.detector.poison.ActivationDefence` to also accept data provided via `art.data_generators`, enabling support for datasets larger than the available memory. (442)
- Changed the default value of `apply_predict` for `art.defences.preprocessor.JpegCompression` to `True`, so it is applied during prediction by default (see the sketch after this list). (440)
- Removed the smoothing factor in the tanh-to-original transformation in the `CarliniL2Method` and `CarliniLInfMethod` attacks to prevent input values extremely close to either clip value from being transformed to values outside of the clip values. (428)
- Changed `art.defences.preprocessor.SpatialSmoothing` preprocessor defense to support video data. (415)
- Changed `art.defences.preprocessor.JpegCompression` preprocessor defense to support video data. (412)
- Changed copyright notice to “The Adversarial Robustness Toolbox (ART) Authors” and listed original copyright holders in new file AUTHORS. (406)
- Changed the internal format of `clip_values` from a tuple of `int` or `float` to `numpy.ndarray` with `dtype=np.float32`. (392)
- Moved poison detection defences to new module `art.defences.detector.poison`. (399)
- Moved Randomized Smoothing from wrapper `art.wrappers` to new estimators in module `art.estimators.certification` for TensorFlow and PyTorch and removed `art.wrappers.RandomizedSmoothing`. (409)
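To illustrate the changed `apply_predict` default for `art.defences.preprocessor.JpegCompression`, here is a hedged sketch of attaching the defence to a classifier via the Estimator API (the `quality` argument and the Keras model `model` are assumptions):

```python
from art.defences.preprocessor import JpegCompression
from art.estimators.classification import KerasClassifier

# apply_predict now defaults to True, so JPEG compression is applied to inputs at
# prediction time; apply_fit controls whether it is also applied during fitting.
jpeg = JpegCompression(clip_values=(0.0, 1.0), quality=50)

# Attach the defence to a classifier so predictions run through the preprocessor.
classifier = KerasClassifier(model=model, clip_values=(0.0, 1.0), preprocessing_defences=jpeg)
```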
Removed
- Deprecated the argument `channel_index` of `art.classifiers` and replaced it with the argument `channels_first` in `art.estimators`. The new argument `channels_first` follows framework usage and describes as a Boolean whether the channels dimension is the first or last dimension of a sample (see the sketch below). The argument `channel_index` will be removed after ART 1.4. (429)
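A minimal sketch of the change from `channel_index` to `channels_first`, assuming an existing PyTorch model `model` with NCHW inputs; the loss, optimizer, and shapes are placeholders:

```python
import torch

from art.estimators.classification import PyTorchClassifier

# Previously: channel_index=1 indicated the channels dimension by its index.
# Now: channels_first=True states as a Boolean that channels come first (NCHW).
classifier = PyTorchClassifier(
    model=model,                       # an existing torch.nn.Module (assumed)
    loss=torch.nn.CrossEntropyLoss(),
    optimizer=torch.optim.Adam(model.parameters(), lr=1e-3),
    input_shape=(3, 32, 32),
    nb_classes=10,
    channels_first=True,
)
```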
Fixed
- Fixed several bugs in the `ThermometerEncoding` preprocessor defense, implementing the correct forward pass and implementing `estimate_gradients` to provide gradients in the original space instead of the discretized/encoded space. (467, 468)
- Fixed bug in Boundary Attack to ensure that the adversarial example is projected back to the sphere in each iteration. (426)
- Fixed memory leak in `KerasClassifier.get_activations` by reusing the Keras function calculating the activations. (417)
- Fixed RGB-BGR conversion bug in Boundary attack notebook. (402)
- Fixed bug in `ActivationDefence` for RGB images. (388)
- Fixed bug in `PixelAttack` and `ThresholdAttack` so that they now return the benign image if no adversarial example has been found. (384)